You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/12/17 22:09:46 UTC

[GitHub] [airflow] kaxil commented on pull request #20346: Fix inconsitencies in checking edit permissions for a DAG

kaxil commented on pull request #20346:
URL: https://github.com/apache/airflow/pull/20346#issuecomment-997060038


   > Fwiw, this isn't how permissions are documented: https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html#dag-level-permissions
   > 
   > Have we tried this in an instance with a large number of DAGs?
   
   `current_app.appbuilder.sm.get_editable_dag_ids(g.user)` logically does the same thing what existed before the PR change too -- however instead of checking the permission in the view, it hands of the permissions of doing it to the Security Manager. So if you have "can_edit" permission on the "DAG" resource, a user will by default still be able to edit/pause all the dags.
   
   re: Optimization -- we have a short-circuit too, i.e. as soon as we find "can_edit" on "DAG" we return, check the following source:
   
   Source Code:
   https://github.com/apache/airflow/blob/fc0fb22c120a7c12426ecaf6254159e7daf2de9e/airflow/www/security.py#L288-L290
   https://github.com/apache/airflow/blob/fc0fb22c120a7c12426ecaf6254159e7daf2de9e/airflow/www/security.py#L320-L322


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org